Nine Threats to the Global Security LandscapeBy Steve Durbin
The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of today’s most trusted organizations. Attackers have become more organized, attacks are more refined and all threats are more dangerous, and pose more risks, to an organization’s reputation. In addition, brand reputation and the trust dynamic that exists among suppliers, customers and partners have become very real targets for cyber-criminals and hacktivists.
According to the Ponemon Institute’s 2014 Cost of Data Breach Study: United States, the average cost for each lost or stolen record containing sensitive and confidential information increased from $188 to $201. The total average cost paid by organizations has also increased from $5.4 million to $5.9 million. In addition to the increase in cost, the Ponemon Institute found that companies are losing more customers following a data breach. Certain industries, especially financial services, continue to be most susceptible to high churn in the aftermath of a material data breach.
With the speed and complexity of the security threat landscape changing on a daily basis, too many times organizations are left behind. Sometimes they’re left in the wake of reputational and financial damage. In today’s global, connected society, businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, organizations need to manage risks in ways beyond those traditionally handled by the information security function, since new attacks will impact both business reputation and shareholder value.
At the Information Security Forum, Threat Horizon 2017, the latest in our annual series of reports which provide businesses a forward-looking view of the increasing threats in today’s always-on, interconnected world, was released. In Threat Horizon 2017, it highlighted the top nine emerging threats, as determined by ISF research, to information security over the next two years.
Here’s a quick look at these threats and what they mean for your organization:
Increased Connectivity Speeds Present Issues in Organizational Response Time
Reasonably priced gigabit connectivity will become widely available to supply the growing demands of devices and users, providing speeds up to 100 times faster than current services in most countries. This will be a dramatic leap forward, increasing both data volume and velocity and providing new business opportunities. As billions of devices are connected, there will be more ‘data in flight’ that must be managed. Conventional malicious use will increase rapidly, resulting in cascading failures between sectors. It will enable new and previously impracticable avenues for destructive activity online, increasing financial and reputational liabilities and overwhelming traditional defenses.
Gigabit connectivity will enable the Internet of things (IoT) and a new class of applications to emerge that will exploit the combination of big data, GPS location, weather, personal-health monitoring devices, industrial production and much more. Connectivity will be so cheap and prevalent that sensors will be embedded everywhere, increasing the flood of data and creating an ecosystem of embedded devices that are nearly impossible to secure. High bandwidth services that are unfeasible today will become standard as download speeds increase exponentially.
Criminal Organizations Become More Structured and Sophisticated
Criminal organizations will become more sophisticated, mature internally and migrate their activities online at greater pace. They will develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This will facilitate their diversification into new markets and the commoditization of their activities at a global level. Some of these organizations will have roots in existing criminal structures, while others will be new and focused purely on cyber-crime. Organizations will struggle to keep pace with this increased sophistication and the effects will be felt around the world.
Widespread Social Unrest Breaks Out Led by ‘Tech Rejectionists’
In response to record levels of socio-economic inequality, widespread social unrest will break out in countries around the world, led by “tech rejectionists.” Discontent will be motivated by uncertainty and confusion and inflamed by job losses and displacement due to globalization and automation.
Rejectionists will dismiss the benefits of technology-enabled globalization, pointing instead at the social and economic costs shouldered by those who are not among the economic elite. They will express themselves through protests, boycotts, strikes and violence, causing significant disruption to local and regional economies. Organizations with supply chains and investments in the affected regions will be caught in this chaos and forced to respond at short notice in order to avoid financial and reputational exposure.
Dependence on Critical Infrastructure Becomes Dangerous
Following several large cascading failures, hidden dependencies on digitally connected critical infrastructure will become transparent. Aging, poorly maintained and highly complex infrastructure will be exposed as internal systems are shown to be accessible from the public Internet. Infrastructure on which whole societies depend will be subjected to attacks and accidents that require significant resources and time to remediate. This will force governments and regulators to take a much closer look at critical infrastructure and the extent to which it is dangerously exposed. Many organizations will be caught unprepared for both the attacks and new regulations. As a consequence, they will be forced to update their resilience and invest in technology transformation programs.
Malicious Agents Weaponize Systemic Vulnerabilities
Targeted exploitation of widely distributed and homogenous technologies will occur frequently. This will have implications for the normal functioning of the Internet and the wider global economy. Malicious actors will weaponize systemic vulnerabilities in this technology monoculture, threatening the integrity of Internet infrastructure. Targets include government, critical infrastructure and other organizations of interest for economic and political reasons. This will force organizations to both invest in resilience and re-evaluate their technology strategies.
Legacy Technology Crumbles
Organizations will continue to prolong the life of their aging and unsupported hardware and software in an attempt to delay the costs of expensive technology transformation programs. This legacy technology will be scattered throughout the organization and include mainframes, portable devices, embedded sensors and other technology that is even more obscure. Even new technology will age more swiftly than suspected, as rapid development cycles and version releases accelerate obsolescence.
As digital connectivity inside and between organizations grows, legacy technology will be further exposed to attackers and a greater likelihood of accidents, resulting in damage exceeding anything that has come before. This will prompt a re-evaluation of ageing technology, particularly where maintenance is increasingly cost prohibitive. Modernization will be required to replace backlogs of legacy technology. The challenge will be to keep pace.
Disruption to Digital Systems Leads to Verifiable Human Deaths
Disruption to digital systems will lead to verifiable human deaths, after a long existence in the realm of science fiction. Most of these deaths will be caused by failures in cyber-physical systems. For advanced digital economies, the public response will be disproportionate relative to the number of deaths from more common causes, leaving organizations forced to respond.
Some of the first deaths will be caused by accidents with smart and self-guided cars, as well as degradation to GPS causing fatal disruption to air, naval and ground transport systems. This will be followed by hacking of Wi-Fi enabled medical devices and attacks on hospital networks including life support devices and surgery suites. There will be only a handful of deaths initially but they will generate far more attention than conventional causes of mortality. This will make it difficult for organizations to accurately assess cyber-physical risks and plan proportionate responses.
Global Consolidation of Organizations Endangers Competition and Security
Leading organizations, such as Google, Amazon, Facebook and Apple will continue to expand into increasingly connected regions, solidifying their commercial dominance globally. This will raise regulatory concerns for governments and organizations that are wary of the consolidated power of information companies and the monopolistic power they wield. This will be compounded by post-Snowden security concerns and US-based companies in particular will have to work harder to win the trust of potential international customers.
Security concerns will arise from heavy commercial and societal dependence on single-source providers and single points of failure. It will be difficult for organizations to maintain robust continuity plans when multiple critical services come from one provider and the lack of alternatives means that customers are locked to the provider. When major disruptions occur, whether they be malicious or accidental, they will impact whole sectors and when data breaches happen they will expose data from entire populations.
Cost and Scale of Data Breaches Increases Dramatically
The number of data breaches will grow along with the volume of compromised records, becoming far more expensive for organizations of all sizes. The first billion-person data breach will finally happen and be ruinously expensive for the company at fault. Costs will come from traditional areas such as network clean-up and customer notification as well as newer areas such as litigation involving a growing number of parties. Angry customers will pressure governments around the world to introduce tighter data protection legislation, bringing new and unforeseen costs. The resulting mess of international regulations will create new compliance headaches for organizations while doing little to deter attackers.
As dangers accelerate, disciplined and widespread commitment will be needed to ensure that practical plans are in place to deal with major changes the future could bring. Employees at every level of the organization will need to be involved, including board members and managers in non-technical roles.
The nine threats listed above expose the dangers that should be considered most prominent. They have the capacity to transmit their impact through cyberspace at break-neck speeds, particularly as the use of the Internet spreads. As a result, many organizations will struggle to cope as the pace of change intensifies. Consequently, at least until a conscious decision is taken to the contrary, the threats should appear on the radar of every organization, both small and large.
So…are you as ready as you could be?
About the Author
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the clou, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.